As much as we might want to prevent them by policy, odds are that a shared user account will be created at some point. To mitigate the problems such accounts bring (lack of accountability, lack of control, and credentials available to just about anyone, to name a few), there are several steps we can take, including limiting which network shares the account can access, its logon hours, and which computers it may log on to. By default, user accounts can log on to all computers in Active Directory. This can be limited on a per-user basis. Here is how:
- In Active Directory Users and Computers, search for the account
- Open the user profile
- Go to the “Account” tab, and click “Log On To…”
- Activate the radio button for the option “The following computers”:
- Add the desired computers to the list.
Once that’s done, click OK to save your changes, and the account can only log on to the computers you listed.
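The same restriction can be applied and audited from PowerShell, which is handy when you have more than one shared account to deal with. The script below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the account name `svc-shared` and the workstation names `WS-KIOSK01` and `WS-KIOSK02` are placeholders for your own. The “Log On To…” dialog writes to the `userWorkstations` attribute, which `Set-ADUser` exposes as the `-LogonWorkstations` parameter.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and rights to modify the target account.
Import-Module ActiveDirectory

$SamAccountName = 'svc-shared'                    # assumed: the shared account to restrict
$AllowedHosts   = @('WS-KIOSK01', 'WS-KIOSK02')   # assumed: NetBIOS names, no domain suffix

# -LogonWorkstations takes ONE comma-separated string of NetBIOS computer
# names; it is the same value the "The following computers" list sets.
Set-ADUser -Identity $SamAccountName -LogonWorkstations ($AllowedHosts -join ',')

# Verify: read the attribute back.
Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Audit: enabled accounts matching a naming pattern (assumed 'svc-*') that
# still have no workstation restriction, i.e. "All computers" is in effect.
Get-ADUser -Filter { Enabled -eq $true -and SamAccountName -like 'svc-*' } `
           -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName

# To go back to "All computers", clear the underlying attribute:
# Set-ADUser -Identity $SamAccountName -Clear userWorkstations
```

Two things to keep in mind: the value is a single string, so a long list of machines runs into the attribute’s length limit (about 1024 characters), and the list holds computer names rather than groups, so it has to be maintained when machines are renamed or replaced. The audit query is worth running periodically, since a shared account that someone recreates or un-restricts will otherwise go unnoticed.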